Abstract

This paper presents DAIDALUS (Detect and Avoid Alerting Logic for Unmanned Systems), a reference implementation of a detect and avoid concept intended to support the integration of Unmanned Aircraft Systems into civil airspace. DAIDALUS consists of self-separation and alerting algorithms that provide situational awareness to UAS remote pilots. These algorithms have been formally specified in a mathematical notation and verified for correctness in an interactive theorem prover. The software implementation has been verified against the formal models and validated against multiple stressing cases jointly developed by the US Air Force Research Laboratory, MIT Lincoln Laboratory, and NASA. The DAIDALUS reference implementation is currently under consideration for inclusion in the appendices to the Minimum Operational Performance Standards for Unmanned Aircraft Systems presently being developed by RTCA Special Committee 228.
Introduction

NASA’s Unmanned Aircraft Systems Integration in the National Airspace System (UAS in the NAS) project aims to develop key capabilities to enable routine and safe access of public and civil use unmanned aircraft systems (UAS) to non-segregated airspace operations. As part of the UAS in the NAS project, NASA has developed a detect and avoid (DAA) concept for UAS [1] that extends the sense and avoid (SAA)¹ concept outlined in the final report of the FAA-sponsored Sense and Avoid Workshop for UAS [2], wherein sense and avoid is defined as “the capability of a UAS to remain well clear from and avoid collisions with other airborne traffic.” In support of this capability, the NASA DAA concept includes a mathematical definition of well clear to characterize a well-clear boundary and a suite of algorithms that provide situational awareness of this well-clear boundary to UAS operators.

The well-clear boundary defines a volume, referred to as the well-clear violation volume (WCV), such that aircraft pairs jointly occupying this volume are considered to be in a well-clear violation [3]. This volume is intended to be both large enough to prevent safety concerns for controllers and see-and-avoid pilots and small enough to avoid disruptions to traffic flow. Formally, the WCV is defined by a boolean predicate on the states of two aircraft, i.e., their position and velocity vectors at the current time. In particular, two aircraft are well clear of each other if appropriate distance and time variables, determined by the relative aircraft states, remain outside a set of predefined threshold values. These distance and time variables are closely related to variables used in the Resolution Advisory (RA) logic of the Traffic Alert and Collision Avoidance System II Version 7.1 (TCAS II) [4].

The NASA DAA concept includes a suite of algorithms called DAIDALUS (Detect and Avoid Alerting Logic for Unmanned Systems). The top-level functionality provided by DAIDALUS is situational awareness to UAS operators in the form of maneuver guidance intended to aid in:

1) maintaining well-clear status, or

2) regaining separation if a well-clear violation has already occurred or a well-clear violation is unavoidable.

¹ The terms sense and avoid and detect and avoid are both used interchangeably in UAS literature.

DAIDALUS includes algorithms for determining the well-clear status between pairs of aircraft at the current time and for predicting a well-clear violation within a given lookahead time, assuming non-maneuvering trajectories. In the case of a predicted well-clear violation, DAIDALUS also computes the time interval of the well-clear violation. Furthermore, DAIDALUS implements algorithms for computing conflict bands, assuming a simple kinematic trajectory model for the ownship aircraft. These bands represent ranges of track (or heading), ground speed (or air speed), and vertical speed maneuvers that are predicted to result in well-clear violation with one or more traffic aircraft within a given lookahead time. Conflict bands are intended to provide information to the UAS remote pilot and assist the pilot in selecting trajectories that will remain well clear of other aircraft. When aircraft are not well clear, or when a well-clear violation is unavoidable, DAIDALUS computes well-clear recovery bands, which represent ranges of horizontal and vertical maneuvers that a remote pilot may take to regain well-clear status within the minimum possible time, while minimizing collision risk. Recovery bands are designed so that they do not conflict with RA maneuvers generated by systems such as TCAS II. Finally, DAIDALUS also implements two configurable alerting algorithms that return an integer value indicating the level of alert. The lowest possible returned alert level is zero, which indicates that no alert has been issued. Higher alert levels correspond to increased levels of threat of a well-clear violation.

DAIDALUS is currently under consideration for inclusion as the DAA reference implementation of the RTCA Special Committee 228 Minimum Operational Performance Standards (MOPS) for Unmanned Aircraft Systems. The remainder of this paper discusses the high-level architecture of DAIDALUS, its data requirements, and functional specifications. It also describes the validation and verification efforts aimed at increasing the confidence that the software correctly implements its functional requirements. The DAIDALUS software library is released under NASA’s Open Source Agreement.² The formal models of the algorithms implemented in DAIDALUS are written in the mathematical notation of the Prototype Verification System (PVS) [5].

² http://www.github.com/nasa/wellclear.

Figure 1. High-Level Architecture of DAIDALUS

DAIDALUS 

DAIDALUS is a software implementation intended to satisfy the operational and functional requirements detailed in NASA’s DAA concept of integration for UAS [1]. The high-level functional relationship between the DAIDALUS implementation and the surveillance data sources, separation standards, and crew interface is depicted in Figure 1.

In particular, DAIDALUS provides algorithms that:

1) determine the current, pairwise well-clear status of the ownship and all aircraft inside its surveillance range,

2) compute maneuver guidance in the form of ranges of maneuvers that a pilot-in-command (PIC) may take that will cause the aircraft to maintain or increase separation from the well-clear violation volume, or allow for recovery from loss of separation in a timely manner within the performance limits of the ownship aircraft, and

3) determine the corresponding alert type, based on a given alerting schema, corresponding to the level of threat to the well-clear volume.

The functionalities provided in 1), 2), and 3) are respectively referred to as detection, determine-processing, and alerting logic, as illustrated in Figure 1.


Figure 2. Constant Velocity Aircraft Projection (ownship and intruder projected at constant velocity along the lookahead time T)

The detection logic computes a time interval of well-clear violation. The predictions made by the detection logic are based on pairwise, constant-velocity projections over a given lookahead time. These linear projections are illustrated in Figure 2. The own aircraft is referred to as the ownship, and each traffic aircraft is referred to as an intruder.

The maneuver guidance provided by DAIDALUS is presented in the form of conflict bands, i.e., ranges of ownship maneuvers that lead to a well-clear violation, or recovery bands, i.e., ranges of ownship maneuvers that recover from a present or unavoidable well-clear violation. The predictions used to compute these bands are based on constant turn rate and constant acceleration projections of the ownship, and constant-velocity projections of traffic aircraft. Three types of bands are provided by DAIDALUS: (1) track ranges (or heading, if wind information is provided), (2) ground speed ranges (or air speed, if wind information is provided), and (3) vertical speed ranges. As a notional example, Figure 3 illustrates state projections for the ownship and intruder aircraft used in the computation of track conflict bands.

Conflict bands may be either preventive or corrective. A band is preventive if no well-clear violation is predicted along the ownship’s current velocity vector, up to the lookahead time, but some maneuver made by the ownship within its performance limitations would result in a well-clear violation within the lookahead time. A band is corrective if a well-clear violation is predicted to occur along the ownship’s current velocity vector within the lookahead time. A corrective band becomes a recovery band if loss of well clear has already occurred, or cannot be avoided. The recovery band provides maneuver guidance to regain well-clear status in the minimum time within the ownship performance limits.

Figure 4 depicts a conceptual view of the determine-processing functionality provided by DAIDALUS, where track bands are shown for an example encounter at four discrete times. The outer circle around the ownship represents the self-separation threshold (SST), which is the area relevant to the determine-processing function. The inner gray area around the ownship represents the well-clear violation volume, i.e., the WCV.³ A description of the determine-processing behavior for several times of interest using the example encounter from Figure 4 follows.

Figure 3. State Projections with Conflict Bands

• At time t = t₀, the ownship and intruder aircraft are depicted in their initial configuration. Since the intruder aircraft is outside the SST, no bands are displayed for the ownship.

• At time t = t₁, the ownship and intruder aircraft are at their new positions with the intruder inside of the SST of the ownship. Thus, the maneuver guidance calculated by DAIDALUS is presented as preventive bands (shown in amber in Figure 4), signifying the range of track maneuvers the ownship should avoid since they would lead to a well-clear violation within the lookahead time.

• At time t = t₂, the ownship and intruder encounter has evolved in such a way that the preventive bands from time t₁ have become corrective bands, i.e., the conflict track band has grown to include the ownship’s current track. Continuing along a constant velocity is predicted to lead to a well-clear violation.

• At time t = t₃, the intruder is now within the WCV of the ownship, and a well-clear violation has occurred. Thus, recovery bands are now computed (shown as a dashed green arc). They provide guidance to the UAS operator as to the range of maneuvers within ownship performance limits that will allow the UAS to regain well clear in a timely manner.

³ The actual shapes of the SST and WCV depend on the aircraft states.

Figure 4. Maneuver Guidance Bands

DAIDALUS implements two alternative alerting schemas. One schema is based on the prediction of well-clear violations for different sets of increasingly conservative threshold values. The second schema is based on the types of bands computed for a single set of threshold values, which can be either preventive or corrective. In general, both schemas yield alert levels that increase in severity as a potential pairwise conflict scenario increases in risk. The actual alerting schema for NASA’s DAA concept is still under development.

Data Requirements

Table I defines the minimum input requirements for the ownship and traffic aircraft. DAIDALUS accepts a wide set of units, including time and distance units from the International System of Units (SI).
Table I. Data input requirements

Ownship                     | Traffic
----------------------------|----------------------------
Identifier, e.g., call sign | Identifier, e.g., call sign
Latitude                    | Latitude
Longitude                   | Longitude
Altitude                    | Altitude
Ground speed                | Ground speed
Airspeed (optional)         | -
Ground track                | Ground track
Heading (optional)          | -
Vertical speed              | Vertical speed

Table II. Configurable parameters

Parameter               | Default value
------------------------|--------------
Turn rate               | 3 deg/s
Bank angle              | 30 deg
Horizontal acceleration | 2 m/s²
Vertical acceleration   | 2 m/s²
Minimum ground speed    | 0 knots
Maximum ground speed    | 700 knots
Minimum vertical speed  | -5000 fpm
Maximum vertical speed  | 5000 fpm
Track step              | 1 deg
Ground speed step       | 1 knot
Vertical speed step     | 10 fpm

Northern latitudes and eastern longitudes are positive. Track and heading are provided in a clockwise-from-true-north convention. If airspeed and heading are provided for the ownship, this information is used in conjunction with ground speed and ground track to compute local winds. The DAIDALUS algorithms then apply this wind information to aircraft current states for predicting aircraft trajectories and for computing guidance maneuvers.

The DAIDALUS bands algorithm uses the configurable parameters in Table II, whose default values are listed in the second column. The default values can be changed through the programming interface or via configuration files. Not all parameters in Table II are required. In particular, either one of turn rate or bank angle can be specified to compute track bands (heading bands, if wind information is provided). Horizontal acceleration is only used to compute ground speed bands (airspeed bands, if wind information is provided).

Table III. Data output requirements

Output                     | Approach
---------------------------|---------
Time interval of violation | 1x1
Track bands                | 1xN
Ground speed bands         | 1xN
Vertical speed bands       | 1xN
Alerting level             | 1x1

Table III shows the set of DAIDALUS outputs. The second column in Table III indicates whether the output is computed using a 1x1 approach, i.e., pairwise, or a 1xN approach, i.e., ownship vs. all traffic aircraft. Each set of bands consists of a list of intervals, representing ranges of maneuvers, and a list of elements of the enumerated type: NONE, CONFLICT, RECOVERY. The enumerated types CONFLICT and RECOVERY identify conflict and recovery maneuvers, respectively. The enumerated type NONE represents maneuvers that do not lead to well-clear violations. In the case of recovery bands, the minimum time to recover from well-clear violation, within the aircraft performance limitations, is also computed. When wind information is available, heading bands and airspeed bands are computed instead of track bands and ground speed bands, respectively.

Functional Requirements

This section describes the underlying mathematics and logic of the DAIDALUS algorithms. All of the algorithms implemented in DAIDALUS have corresponding formal specifications written in the mathematical notation of the Prototype Verification System (PVS) [5]. Furthermore, these algorithms have also been verified for functional correctness in PVS.

The algorithms presented in this section assume a Euclidean 3-dimensional coordinate system. This coordinate system is based on a projection of the ownship and traffic geodesic coordinates into the plane that is tangent to the Earth at sea level at the ownship’s position. The following definitions are assumed. For convenience, the formulas below are presented in a relative coordinate system where the intruder aircraft is at the origin and the ownship is moving relative to the intruder, i.e., $s = s_o - s_i$ and $v = v_o - v_i$.

• Horizontal range at time $t$:

$r(t) = \|s + tv\| = \sqrt{\|s\|^2 + 2t\,(s \cdot v) + t^2\|v\|^2}$.

• Time to Horizontal Closest Point of Approach (TCPA):

$t_{cpa}(s, v) = -\dfrac{s \cdot v}{\|v\|^2}$ if $v \neq 0$, and $0$ otherwise.

• Horizontal Distance at TCPA:

$d_{cpa}(s, v) = r(t_{cpa}(s, v)) = \|s + t_{cpa}(s, v)\, v\|$.

• Vertical range at time $t$:

$r_z(t) = |s_z + t v_z|$.

• Time to Co-Altitude:

$t_{coa}(s_z, v_z) = -\dfrac{s_z}{v_z}$ if $s_z v_z < 0$, and $-1$ otherwise.

• Modified Tau:

$\tau_{mod}(s, v) = \dfrac{\mathrm{DMOD}^2 - \|s\|^2}{s \cdot v}$ if $s \cdot v < 0$, and $-1$ otherwise.

Well-Clear Logic

The well-clear logic is implemented by the boolean function WCV defined in Formula (1). This function has as inputs the states of the ownship and intruder aircraft, own and int, respectively. The function returns the value true if and only if the aircraft are in well-clear violation at the current time. The threshold values are configurable parameters of the logic. By default, they are set to the following values: DMOD = HMD = 4000 ft, ZTHR = 450 ft, TAUMOD = 35 s, TCOA = 0 s. Note that it is assumed that HMD = DMOD.

  WCV(own, int) =
    let (s, s_z) = own.pos − int.pos,
        (v, v_z) = own.vel − int.vel in
    Horizontal_WCV(s, v) and Vertical_WCV(s_z, v_z),     (1)

where

  Horizontal_WCV(s, v) =
    ‖s‖ ≤ DMOD or (d_cpa(s, v) ≤ HMD and 0 ≤ τ_mod(s, v) ≤ TAUMOD),     (2)

and

  Vertical_WCV(s_z, v_z) =
    |s_z| ≤ ZTHR or 0 ≤ t_coa(s_z, v_z) ≤ TCOA.     (3)

Detection Logic

The well-clear detection logic is implemented by the function detection defined in Formula (4). This function has as inputs the states of the ownship and intruder aircraft, own and int, respectively, and a lookahead time interval [B, T]. The function returns a time interval [t_in, t_out] within [B, T]. If t_in ≤ t_out, the time t_in represents the time to well-clear violation and t_out represents the time to exit well-clear violation, assuming constant velocity. The returned time interval is empty, i.e., t_in > t_out, if the aircraft are not predicted to be in violation within the interval [B, T]. Typically, the value of B is set to 0. However, the functions below allow for an arbitrary lookahead time interval [B, T], provided that 0 ≤ B < T.

  detection(own, int, B, T) : ℝ² =
    let (s, s_z) = own.pos − int.pos,
        (v, v_z) = own.vel − int.vel in
    det_WCV(s, s_z, v, v_z, B, T),     (4)

where the function det_WCV is defined in the Appendix.

Determine-Processing Logic

The well-clear determine-processing algorithm is implemented in DAIDALUS by functions that compute maneuver guidance bands, i.e., conflict or recovery bands. When the computed conflict bands cover the full range of possible maneuvers, e.g., when the aircraft are in well-clear violation, DAIDALUS provides recovery bands. Recovery bands represent ranges of track, ground speed, and vertical speed for the ownship that lead to well-clear status in a timely manner. Computation of conflict and recovery bands is discussed subsequently.

Conflict bands are computed by incrementally projecting the maneuvers the ownship may take, within its specified performance limitations, up to the time at which the maneuver is achieved. Subsequently, the ownship state is projected along a constant-velocity trajectory for the remainder of the lookahead time, i.e., the lookahead time T less the time to achieve the initial maneuver. Furthermore, each traffic aircraft is projected along a constant-velocity trajectory over the entire lookahead time. Together, these projections result in a set of maneuver guidance bands based on the most recently updated state information and are therefore influenced by, for example, sensor uncertainty and the particular update rate in use.

Recovery bands are computed by finding the smallest time, t, which is less than the lookahead time, T, such that the ownship and intruder are well clear when the aircraft states are projected to time t. In particular, these projections are made iteratively for increasing candidate values of t (less than T) over ranges of maneuvers within the ownship’s performance limits. Thus, t represents the smallest (first) time at which the ownship may escape a well-clear violation. The well-clear recovery bands algorithm guarantees that before time t, the aircraft do not violate a given minimum horizontal separation D and a given minimum vertical separation H. The values of D and H are configurable parameters. The default values of D and H are set to the DMOD and ZTHR threshold values corresponding to the TCAS II RA logic.

At the core of the functions to compute track, ground speed, and vertical speed bands is a generic, pairwise algorithm bands_1x1, defined by Formula (5), that returns a set of intervals containing maneuvers that yield well-clear violations for a given kinematic trajectory. This algorithm has as inputs:

• the relative state of the aircraft,

• a lookahead time interval, [B, T],

• a current maneuver value for the ownship, c,

• respective minimum and maximum values, u_min and u_max, for the maneuvers,

• a maneuver step, ε,

• an acceleration, a, for the maneuver,

• horizontal and vertical distances D and H, and

• respective position and velocity functions, p and v, which kinematically project the relative state of the aircraft for a given time using a constant acceleration.

Typically, the value of B is 0. When this value is non-zero, the algorithm bands_1x1 also includes ranges of values that violate the minimum separation, given by D and H, before the time B. This configuration is useful when computing recovery maneuvers.

  bands_1x1(s, v, s_z, v_z, B, T, c, u_min, u_max, ε, a, D, H, p, v) : set[ℝ²] =
    left_1x1(...) ∪ right_1x1(...).     (5)

The auxiliary functions left_1x1 and right_1x1 are defined in the Appendix. These functions have the same parameters as bands_1x1.


From bands_1x1, the generic algorithm bands, defined by Formula (6), computes maneuver bands for an ownship and a set of traffic aircraft. In this function, the parameters own and traf represent the state of the ownship and a set of states for all traffic aircraft, respectively.

  bands(own, traf, B, T, c, u_min, u_max, ε, a, D, H, p, v) : set[ℝ²] =
    β := ∅;
    foreach int in traf do
      let (s, s_z) = own.pos − int.pos,
          (v, v_z) = own.vel − int.vel in
      β := β ∪ bands_1x1(s, v, s_z, v_z, B, T, c, u_min, u_max, ε, a, D, H, p, v);     (6)
    endforeach
    return β,

where ‘:=’ denotes the assignment operator, and ‘;’ denotes the sequential operator for imperative pseudocode.


The maneuver ranges computed by the algorithm bands correspond to intervals of type CONFLICT. Intervals of type NONE are computed as the complement of the union of these intervals with respect to [u_min, u_max]. The algorithms that compute track, ground speed, and vertical speed bands for a given lookahead time, T, are defined using the following functions.

  trk_bands(own, traf, T) : set[ℝ²] =
    bands(own, traf, 0, T, trk(own), −π, π, TrkStep, TurnRate, 0, 0, TrkPos, TrkVel),     (7)

  gs_bands(own, traf, T) : set[ℝ²] =
    bands(own, traf, 0, T, gs(own), MinGs, MaxGs, GsStep, HAccel, 0, 0, GsPos, GsVel),     (8)

and

  vs_bands(own, traf, T) : set[ℝ²] =
    bands(own, traf, 0, T, vs(own), MinVs, MaxVs, VsStep, VAccel, 0, 0, VsPos, VsVel),     (9)

where

• trk, gs, and vs are functions that compute the current track, ground speed, and vertical speed of an aircraft, respectively;

• MinGs and MaxGs are the minimum and maximum ground speed, respectively;

• MinVs and MaxVs are the minimum and maximum vertical speed, respectively;

• TrkStep, GsStep, and VsStep are the track, ground speed, and vertical speed steps, respectively;

• TrkPos and TrkVel are functions that kinematically project the relative position and velocity of the aircraft for a given time and constant turn rate;

• GsPos and GsVel are functions that kinematically project the relative position and velocity of the aircraft for a given time and constant horizontal acceleration;

• VsPos and VsVel are functions that kinematically project the relative position and velocity of the aircraft for a given time and constant vertical acceleration.

Recovery bands are computed using the algorithm rec_bands, defined by Formula (10), which is based on the generic algorithm bands. The algorithm rec_bands has as inputs:

• the state of the ownship, own,

• a set of states for all traffic aircraft, traf,

• a lookahead time, T,

• a current maneuver value for the ownship, c,

• respective minimum and maximum values for the maneuvers, u_min and u_max,

• a maneuver step, ε,

• an acceleration for the maneuver, a,

• respective horizontal and vertical distances, D and H, and

• respective position and velocity functions, p and v, which kinematically project the relative state of the aircraft for a given time using a constant acceleration.

The algorithm rec_bands returns a set of intervals and a time.

  rec_bands(own, traf, T, c, u_min, u_max, ε, a, D, H, p, v) : [set[ℝ²], ℝ] =
    let β = bands(own, traf, 0, T, c, u_min, u_max, ε, a, D, H, p, v) in
    if [u_min, u_max] ⊆ β then
      let t = min { B | 0 ≤ B ≤ T,
                    [u_min, u_max] ⊄ bands(own, traf, B, T, c, u_min, u_max, ε, a, D, H, p, v) } in     (10)
      if t > T then ([u_min, u_max], −1)
      else (bands(own, traf, t, T, c, u_min, u_max, ε, a, D, H, p, v), t)
      endif
    else
      (β, 0)
    endif

The maneuver ranges computed by the algorithm rec_bands correspond to intervals of type CONFLICT. Intervals of type NONE and RECOVERY are computed as follows. If the time computed by rec_bands is zero, the complement of the union of intervals computed by rec_bands, with respect to [u_min, u_max], corresponds to intervals of type NONE. If the time computed by rec_bands is negative, the whole interval [u_min, u_max] is of type CONFLICT and no recovery is possible within the performance limits of the aircraft for the given lookahead time T. If the time computed by rec_bands is greater than zero, the complement of the union of the intervals computed by rec_bands, with respect to [u_min, u_max], corresponds to bands of type RECOVERY. For a band of type RECOVERY, well-clear status will be recovered at the time computed by the algorithm. The recovery maneuvers are guaranteed to satisfy a given minimum horizontal separation, D, and vertical separation, H.
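As an added example that is not code from the paper or from the DAIDALUS library, the Python below follows the structure of Formulas (5), (6) and (10) for track bands and illustrates how the three cases of the returned time (zero, positive, negative) arise. Two simplifications are assumptions of this example, not the paper's method: a maneuver is an instantaneous track change followed by constant-velocity flight (the paper projects a constant turn rate), and the well-clear check is a plain (DMOD, ZTHR) cylinder rather than the full predicate of Formulas (1) to (3). The non-zero-B rule of the text is kept: with B > 0 a maneuver is also in conflict if it violates the minimum separation (D, H) before B. The aircraft states, the D and H values, and the one-second time steps are constructed.

```python
from math import cos, sin, radians, hypot

# Constructed values. DMOD and ZTHR are the well-clear defaults quoted in the text; D_MIN and H_MIN
# are placeholders standing in for the TCAS-derived minimum separation (not the paper's values).
DMOD, ZTHR = 4000.0, 450.0      # ft
D_MIN, H_MIN = 900.0, 300.0     # ft, placeholder values


def inside(s, sz, v, vz, t, d, h):
    """Relative state (s, sz, v, vz) projected to time t lies inside the (d, h) cylinder."""
    return hypot(s[0] + t * v[0], s[1] + t * v[1]) <= d and abs(sz + t * vz) <= h


def conflict_1x1(s, sz, v, vz, B, T, D, H, step=1.0):
    """A maneuver conflicts if its projection is inside the well-clear cylinder at some sampled time
    in [B, T], or, when B > 0, violates the minimum separation (D, H) before B (the non-zero-B rule)."""
    t = 0.0
    while t <= T + 1e-9:
        if t < B and inside(s, sz, v, vz, t, D, H):
            return True
        if t >= B and inside(s, sz, v, vz, t, DMOD, ZTHR):
            return True
        t += step
    return False


def track_values(u_min, u_max, eps):
    """Candidate track values (degrees, clockwise from north) from u_min to u_max in steps of eps."""
    vals, u = [], u_min
    while u <= u_max + 1e-9:
        vals.append(round(u, 6))
        u += eps
    return vals


def bands_1x1(own, intr, B, T, u_min, u_max, eps, D, H):
    """Formula (5) specialised to track maneuvers: the set of candidate tracks in conflict with intr.
    States are (x, y, z, vx, vy, vz) in ft and ft/s; the maneuver keeps the ownship's ground speed."""
    gs = hypot(own[3], own[4])
    s, sz = (own[0] - intr[0], own[1] - intr[1]), own[2] - intr[2]
    vz = own[5] - intr[5]
    conflicting = set()
    for u in track_values(u_min, u_max, eps):
        vx, vy = gs * sin(radians(u)), gs * cos(radians(u))   # instantaneous track change (assumption)
        v = (vx - intr[3], vy - intr[4])
        if conflict_1x1(s, sz, v, vz, B, T, D, H):
            conflicting.add(u)
    return conflicting


def bands(own, traf, B, T, u_min, u_max, eps, D, H):
    """Formula (6): union of the pairwise conflict sets over all traffic aircraft."""
    beta = set()
    for intr in traf:
        beta |= bands_1x1(own, intr, B, T, u_min, u_max, eps, D, H)
    return beta


def rec_bands(own, traf, T, u_min, u_max, eps, D, H, t_step=1.0):
    """Formula (10). Returns (conflict set, t): t == 0 means ordinary conflict bands (complement is NONE);
    t > 0 means the complement is RECOVERY, regaining separation at time t; t < 0 means no recovery
    is possible within T. The candidate times B are searched in steps of t_step (assumption)."""
    full = set(track_values(u_min, u_max, eps))
    beta = bands(own, traf, 0.0, T, u_min, u_max, eps, D, H)
    if not full <= beta:
        return beta, 0.0
    t = t_step
    while t <= T + 1e-9:                 # smallest B whose bands leave some maneuver free
        b = bands(own, traf, t, T, u_min, u_max, eps, D, H)
        if not full <= b:
            return b, t
        t += t_step
    return full, -1.0


# Constructed encounter: ownship at the origin flying east at 250 ft/s; stationary intruders
# (a hovering target keeps the arithmetic inspectable) placed 2000, 10000 and 30000 ft to the east.
OWN = (0.0, 0.0, 0.0, 250.0, 0.0, 0.0)
NEAR = (2000.0, 0.0, 0.0, 0.0, 0.0, 0.0)    # already inside the well-clear cylinder
MID = (10000.0, 0.0, 0.0, 0.0, 0.0, 0.0)    # conflict only for eastbound tracks
FAR = (30000.0, 0.0, 0.0, 0.0, 0.0, 0.0)    # no conflict within 60 s

if __name__ == "__main__":
    for traf in ([NEAR], [MID], [FAR]):
        b, t = rec_bands(OWN, traf, 60.0, 0.0, 350.0, 10.0, D_MIN, H_MIN)
        free = sorted(set(track_values(0.0, 350.0, 10.0)) - b)
        print(t, free)   # 9.0 -> RECOVERY tracks 240..300; 0.0 -> NONE tracks outside 70..110; 0.0 -> all NONE
```

With NEAR the ownship is 2000 ft from the intruder at t = 0, so every track is in conflict and the search for B runs until 9 s, when tracks turned away from the intruder (240 to 300 degrees) have opened more than DMOD of separation; shortening T to 5 s makes the search fail and the returned time becomes negative, the "no recovery within T" case of the text.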

The algorithms that compute track, ground speed, and vertical speed recovery bands for a given lookahead time, T, and respective minimum horizontal and vertical separation, D and H, are defined using the following functions.

  rec_trk_bands(own, traf, T, D, H) : [set[ℝ²], ℝ] =
    rec_bands(own, traf, 0, T, trk(own), −π, π, TrkStep, TurnRate, D, H, TrkPos, TrkVel),     (11)

  rec_gs_bands(own, traf, T, D, H) : [set[ℝ²], ℝ] =
    rec_bands(own, traf, 0, T, gs(own), MinGs, MaxGs, GsStep, HAccel, D, H, GsPos, GsVel),     (12)

and

  rec_vs_bands(own, traf, T, D, H) : [set[ℝ²], ℝ] =
    rec_bands(own, traf, 0, T, vs(own), MinVs, MaxVs, VsStep, VAccel, D, H, VsPos, VsVel).     (13)

Alerting Logic

An alerting logic provides an indication of the severity of the proximity of a particular traffic aircraft to the ownship. This indication is given as a numerical value between zero, representing no severity, and a value, k, representing the maximally severe alert level. The greater the numerical value, the greater the severity level. DAIDALUS implements two particular alerting functions, thresholds_alerting and bands_alerting, respectively referred to as thresholds-based alerting and bands-based alerting. Both functions have as inputs the states of the ownship and the intruder aircraft. A high-level description of these functions follows, while the detailed specifications are presently under development.

The function thresholds_alerting also has as input a list of threshold values and alerting times denoted as {DMOD_i, HMD_i, ZTHR_i, TAUMOD_i, TCOA_i, T_i}_{1 ≤ i ≤ k}. It is assumed that the i-th threshold values are greater than or equal to the (i + 1)-th threshold values. The function thresholds_alerting returns the first index, i, in the list such that detection(own, int, 0, T_i) detects a violation for DMOD_i, HMD_i, ZTHR_i, TAUMOD_i, and TCOA_i. The function returns zero if no such index exists.
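The well-clear predicate of Formulas (1) to (3), the detection interval of Formula (4), and the thresholds-based alerting just described, as an added Python example that is not code from the paper or from the DAIDALUS library. The closed-form det_WCV lives in the paper's appendix, which is not on this page, so detection is approximated here by sampling the constant-velocity projection every second (an assumption). The encounter states and the alerting levels are constructed, and the function names, the state layout (x, y, z, vx, vy, vz), and the choice to start the level search at the most severe (smallest-threshold) level are assumptions of this example.

```python
from dataclasses import dataclass
from math import hypot


# Well-clear thresholds; the defaults are the values quoted in the text (feet and seconds).
@dataclass(frozen=True)
class Thresholds:
    DMOD: float = 4000.0    # ft
    HMD: float = 4000.0     # ft; the text assumes HMD = DMOD
    ZTHR: float = 450.0     # ft
    TAUMOD: float = 35.0    # s
    TCOA: float = 0.0       # s


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]


def tcpa(s, v):
    """Time to horizontal closest point of approach; 0 when the relative velocity is zero."""
    vv = dot(v, v)
    return -dot(s, v) / vv if vv > 0 else 0.0


def dcpa(s, v):
    """Horizontal distance at TCPA."""
    t = tcpa(s, v)
    return hypot(s[0] + t * v[0], s[1] + t * v[1])


def tau_mod(s, v, dmod):
    """Modified tau; -1 when the aircraft are not converging horizontally."""
    sv = dot(s, v)
    return (dmod * dmod - dot(s, s)) / sv if sv < 0 else -1.0


def tcoa(sz, vz):
    """Time to co-altitude; -1 when the aircraft are not converging vertically."""
    return -sz / vz if sz * vz < 0 else -1.0


def horizontal_wcv(s, v, th):          # Formula (2)
    return hypot(s[0], s[1]) <= th.DMOD or (
        dcpa(s, v) <= th.HMD and 0 <= tau_mod(s, v, th.DMOD) <= th.TAUMOD)


def vertical_wcv(sz, vz, th):          # Formula (3)
    return abs(sz) <= th.ZTHR or 0 <= tcoa(sz, vz) <= th.TCOA


def relative(own, intr):
    """Relative state s = s_o - s_i, v = v_o - v_i; states are (x, y, z, vx, vy, vz)."""
    s = (own[0] - intr[0], own[1] - intr[1])
    v = (own[3] - intr[3], own[4] - intr[4])
    return s, own[2] - intr[2], v, own[5] - intr[5]


def wcv(own, intr, th):                # Formula (1)
    s, sz, v, vz = relative(own, intr)
    return horizontal_wcv(s, v, th) and vertical_wcv(sz, vz, th)


def project(ac, t):
    """Constant-velocity projection of an aircraft state to time t."""
    return (ac[0] + t * ac[3], ac[1] + t * ac[4], ac[2] + t * ac[5], ac[3], ac[4], ac[5])


def detection(own, intr, B, T, th, step=1.0):
    """Time interval (t_in, t_out) of predicted violation within [B, T]; empty when t_in > t_out.
    Assumption: the appendix's closed-form det_WCV is replaced by sampling every `step` seconds."""
    t_in = t_out = None
    t = B
    while t <= T + 1e-9:
        if wcv(project(own, t), project(intr, t), th):
            t_in = t if t_in is None else t_in
            t_out = t
        t += step
    return (T, B) if t_in is None else (t_in, t_out)   # (T, B) is empty because B < T


def thresholds_alerting(own, intr, levels):
    """levels[i-1] = (Thresholds, T_i), with the i-th thresholds >= the (i+1)-th as in the text.
    Assumption: the search starts at the most severe level k, so the result is the highest level
    whose thresholds detect a violation within its alerting time; 0 if no level does."""
    for i in range(len(levels), 0, -1):
        th, T = levels[i - 1]
        t_in, t_out = detection(own, intr, 0.0, T, th)
        if t_in <= t_out:
            return i
    return 0


# Constructed encounter (ft, ft/s): ownship eastbound, intruder 20000 ft ahead flying head-on.
OWN = (0.0, 0.0, 0.0, 200.0, 0.0, 0.0)
INT = (20000.0, 0.0, 0.0, -200.0, 0.0, 0.0)
INT_ABOVE = (20000.0, 0.0, 2000.0, -200.0, 0.0, 0.0)   # same geometry, 2000 ft higher and level
# Constructed alerting levels: level 1 uses larger (more conservative) thresholds than level 2.
LEVELS = [(Thresholds(DMOD=6000.0, HMD=6000.0, ZTHR=600.0, TAUMOD=50.0, TCOA=0.0), 120.0),
          (Thresholds(), 60.0)]

if __name__ == "__main__":
    print(wcv(OWN, INT, Thresholds()))                    # False: 20000 ft apart, tau_mod = 48 s
    print(detection(OWN, INT, 0.0, 120.0, Thresholds()))   # (13.0, 60.0)
    print(thresholds_alerting(OWN, INT, LEVELS))           # 2
```

At t = 0 the pair is not in violation because tau_mod is 48 s, above TAUMOD; the tau test first succeeds at 13 s and the range test keeps the pair in violation until the 4000 ft boundary is crossed at 60 s. The intruder 2000 ft above never satisfies Vertical_WCV, so detection returns an empty interval and the alert level stays at zero.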

The most severe type of alert for the function bands_alerting corresponds to k = 4. Furthermore, the alerting logic implemented by this function uses only one set of threshold values: those values used to define the well-clear violation volume. The value returned by bands_alerting depends on the particular type of maneuver guidance computed by the DAIDALUS determine-processing logic. Consequently, there is a correspondence in severity between the computed alert type and the maneuver guidance presented to the pilot. Finally, the function implements the following prioritized list of conditions.

1) If no bands are computed by bands for a configurable alerting time parameter, then it returns 0.

2) If the time to violation is less than a configurable time parameter, then it returns 4.

3) If the time to violation is less than the alerting time, then it returns 3.

4) If preventive bands are computed within configurable thresholds, then it returns 2.

5) In any other case, it returns 1.

Verification and Validation

The DAIDALUS software was verified using the approach called model animation [6]. In general, the approach involves first creating formal models of the algorithms to be verified, where the properties that the algorithms are intended to possess are formally proven to hold. Secondly, the formal models are translated into the target programming language of the implementation. Finally, both the formal models and their implementations are each executed on a suite of test cases, and the outputs are compared to determine if they agree to a specified precision.

The formal models of the algorithms used in DAIDALUS are specified in PVS, which is both a specification language and an interactive theorem prover. Through the theorem proving functionality of PVS, many properties of the algorithms are proven as theorems. Examples of such theorems are correctness properties of the algorithms, as well as several statements from the DAA functional requirements. For instance, there is a theorem concerning the track bands algorithm that states that for any track step maneuver, the corresponding interval is CONFLICT exactly when performing the maneuver would cause a loss of well clear with another aircraft before the lookahead time. These formal proofs give a high level of assurance that the formal models of the algorithms are correct.

The reference implementations of DAIDALUS, written in Java and C++, closely mirror the formal models while taking advantage of the more expressive nature of these programming languages. In order to assure that the implementations conform to the formal models, both the formal models and their implementations were tested on a set of 95 aircraft encounter scenarios. These scenarios were developed jointly by the USAF, Lincoln Laboratory, and NASA as a suite of stressing cases for assessing the DAA functionality.

For some of the functionality provided by DAIDALUS, 
testing whether the formal models and their reference 
implementations agree is straightforward. As an 
example, the well-clear violation logic computes a 
boolean value indicating the well-clear status between 
the ownship and a traffic aircraft. Testing whether 
this logic is correctly implemented in software 
amounts to checking that the same boolean value is 
computed by both the formal model and the software 
implementation. On the other hand, for algorithms that 
compute a numerical value the verification is more 
complicated, since the outputs, although logically 
equivalent, may differ because of numerical 
approximations. To mitigate this, a Monte Carlo 
approach was used to validate the bands algorithms. 
After computing bands using the software 
implementations of the algorithms and their formal 
models, 400 random sample points in each band were 
chosen, and each point was tested to determine whether 
the computed regions agree between the implementations. 
If more than 1% of the points fail to agree, the bands 
were determined to be different. 
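The sampling check described above, written out as an added example (not code from the paper or from DAIDALUS): a band set is represented here as a list of (interval, region) pairs, the band sets below are constructed for the example, and the 1% threshold is assumed to apply to each band separately.

```python
import random

# A band set is a list of ((low, high), region) pairs covering a maneuver
# range, e.g. track angles in degrees.  Region names follow the page
# (NONE, CONFLICT); all interval values below are constructed.
def region_at(bands, x):
    """Region of the band containing x, or None if x lies in no band."""
    for (low, high), region in bands:
        if low <= x < high:
            return region
    return None

def bands_agree(formal, impl, samples=400, max_fail=0.01, seed=0):
    """Monte Carlo comparison: draw `samples` uniform points in each band of
    `formal`, look each one up in `impl`, and declare the band sets different
    if more than `max_fail` of the points of any band land in another region.
    A fixed seed keeps the comparison reproducible between runs."""
    rng = random.Random(seed)
    for (low, high), region in formal:
        failures = sum(1 for _ in range(samples)
                       if region_at(impl, rng.uniform(low, high)) != region)
        if failures > max_fail * samples:
            return False
    return True

# Constructed reference bands (the "formal model" output).
FORMAL = [((0.0, 90.0), "NONE"), ((90.0, 120.0), "CONFLICT"),
          ((120.0, 360.0), "NONE")]
# Boundaries off by 0.01 deg: numerical noise, expected to be accepted.
IMPL_CLOSE = [((0.0, 90.01), "NONE"), ((90.01, 120.01), "CONFLICT"),
              ((120.01, 360.0), "NONE")]
# CONFLICT band 3 deg narrower: about 10% of its sampled points disagree.
IMPL_WRONG = [((0.0, 93.0), "NONE"), ((93.0, 120.0), "CONFLICT"),
              ((120.0, 360.0), "NONE")]

if __name__ == "__main__":
    print(bands_agree(FORMAL, IMPL_CLOSE), bands_agree(FORMAL, IMPL_WRONG))
```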

The implementations were tested on the 95 scenarios, 
each with on average 180 time steps. Each scenario was 
tested both for computing conflict bands only and with 
recovery bands. Overall, less than 0.1% of the 
examined steps were considered to disagree, giving a 
high level of confidence that the implementations 
match the formal models, and hence perform as desired. 


Conclusion 

DAIDALUS is a reference implementation of NASA's 
detect and avoid concept for the integration of UAS 
into the NAS. The underlying core logic of DAIDALUS 
consists of: (1) a mathematical definition of a 
well-clear boundary that resides inside a 
self-separation volume, (2) algorithms for determining 
whether aircraft pairs have violated this well-clear 
boundary or are predicted to violate it within a given 
lookahead time, and (3) a determine-processing 
functionality that provides both maneuver guidance to 
remote pilots and an alerting logic that indicates the 
severity of the proximity of traffic aircraft to the 
ownship. The algorithms implemented in DAIDALUS have 
been formally specified and verified for correctness 
in PVS. The software implementations have been 
validated using 95 stressing scenarios jointly 
developed by the US Air Force Research Laboratory, MIT 
Lincoln Laboratory, and NASA. The DAIDALUS reference 
implementation is under consideration for inclusion as 
a reference implementation in the Minimum Operational 
Performance Standards for UAS being developed by RTCA 
Special Committee 228. 

DAIDALUS has been integrated into NASA's Multi 
Aircraft Control System (MACS), a software environment 
for rapid prototyping of air traffic concepts. This 
software integration is currently used in 
human-in-the-loop experiments at NASA Langley Research 
Center to assess controller and pilot acceptability of 
NASA's DAA concept for UAS [7]. 

Appendix 


$$
\begin{aligned}
&\mathit{det\_WCV}(s, s_z, v, v_z, B, T) : \mathbb{R}^2 = \\
&\quad \mathbf{let}\ [t_1, t_2] = \mathit{det\_VWCV}(s_z, v_z, B, T)\ \mathbf{in} \\
&\quad \mathbf{if}\ t_1 > t_2\ \mathbf{then}\ [T, B] \\
&\quad \mathbf{elseif}\ t_1 = t_2\ \mathbf{and}\ \mathit{Horizontal\_WCV}(s + t_1 v, v)\ \mathbf{then}\ [t_1, t_1] \\
&\quad \mathbf{elseif}\ t_1 = t_2\ \mathbf{then}\ [T, B] \\
&\quad \mathbf{else}\ \mathbf{let}\ [t_{in}, t_{out}] = \mathit{det\_HWCV}(s + t_1 v, v, t_2 - t_1)\ \mathbf{in} \\
&\quad\quad [t_{in} + t_1,\ t_{out} + t_1] \\
&\quad \mathbf{endif}.
\end{aligned}
\tag{14}
$$


$$
\begin{aligned}
&\mathit{det\_VWCV}(s_z, v_z, B, T) : \mathbb{R}^2 = \\
&\quad \mathbf{if}\ v_z = 0\ \mathbf{and}\ |s_z| < \mathrm{ZTHR}\ \mathbf{then}\ [B, T] \\
&\quad \mathbf{elseif}\ v_z = 0\ \mathbf{then}\ [T, B] \\
&\quad \mathbf{else}\ \mathbf{let}\ [t_1, t_2] = \mathit{vertical\_entry\_exit}(s_z, v_z)\ \mathbf{in} \\
&\quad\quad \mathbf{if}\ T < t_1\ \mathbf{or}\ t_2 < B\ \mathbf{then}\ [T, B] \\
&\quad\quad \mathbf{else}\ [\max(B, t_1),\ \min(T, t_2)] \\
&\quad\quad \mathbf{endif} \\
&\quad \mathbf{endif}.
\end{aligned}
\tag{15}
$$

$$
\begin{aligned}
&\mathit{vertical\_entry\_exit}(s_z, v_z) : \mathbb{R}^2 = \\
&\quad \mathbf{let}\ H = \max(\mathrm{ZTHR},\ \mathrm{TCOA}\,|v_z|)\ \mathbf{in} \\
&\quad \left[\frac{-\operatorname{sign}(v_z)\,H - s_z}{v_z},\ \frac{\operatorname{sign}(v_z)\,\mathrm{ZTHR} - s_z}{v_z}\right].
\end{aligned}
\tag{16}
$$


$$
\begin{aligned}
&\mathit{det\_HWCV}(s, v, T) : \mathbb{R}^2 = \\
&\quad \mathbf{let}\ a = v^2, \\
&\quad\quad\ b = 2(s \cdot v) + \mathrm{TAUMOD} \cdot v^2, \\
&\quad\quad\ c = s^2 + \mathrm{TAUMOD} \cdot (s \cdot v) - \mathrm{DMOD}^2\ \mathbf{in} \\
&\quad \mathbf{if}\ a = 0\ \mathbf{and}\ \|s\| < \mathrm{DMOD}\ \mathbf{then}\ [0, T] \\
&\quad \mathbf{elseif}\ \|s\| < \mathrm{DMOD}\ \mathbf{then}\ [0, \min(T, \Theta(s, v, 1))] \\
&\quad \mathbf{elseif}\ s \cdot v > 0\ \mathbf{or}\ b^2 - 4ac < 0\ \mathbf{then}\ [T, 0] \\
&\quad \mathbf{else}\ \mathbf{let}\ t = \frac{-b - \sqrt{b^2 - 4ac}}{2a}\ \mathbf{in} \\
&\quad\quad \mathbf{if}\ \Delta(s, v) > 0\ \mathbf{and}\ t < T\ \mathbf{then} \\
&\quad\quad\quad [\max(0, t),\ \min(T, \Theta(s, v, 1))] \\
&\quad\quad \mathbf{else}\ [T, 0] \\
&\quad\quad \mathbf{endif} \\
&\quad \mathbf{endif}.
\end{aligned}
\tag{17}
$$

$$
\Theta(s, v, D, \epsilon) = \frac{-s \cdot v + \epsilon \sqrt{\Delta(s, v, D)}}{v^2} \tag{18}
$$

$$
\Delta(s, v, D) = D^2 v^2 - (s \cdot v^{\perp})^2. \tag{19}
$$
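The interval functions of equations (15) to (19), as an added example that is not the paper's or DAIDALUS's own code: the thresholds DMOD, ZTHR, TAUMOD and TCOA are constructed sample values, the `a == 0` guard on the quadratic branch of `det_hwcv` is added here, and the vectors are plain (x, y) tuples.

```python
import math
# Sample thresholds, constructed for this example (not values taken from the page):
DMOD = 4000.0   # horizontal distance threshold
ZTHR = 450.0    # vertical distance threshold
TAUMOD = 60.0   # modified-tau time threshold
TCOA = 20.0     # time-to-co-altitude threshold

def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]

def delta(s, v, D):
    """Eq. (19); v^perp = (v_y, -v_x), its orientation is irrelevant since it is squared."""
    return D * D * dot(v, v) - dot(s, (v[1], -v[0])) ** 2

def theta(s, v, D, eps):
    """Eq. (18): time at which |s + t v| = D (eps = 1 for exit, -1 for entry)."""
    return (-dot(s, v) + eps * math.sqrt(delta(s, v, D))) / dot(v, v)

def det_hwcv(s, v, T):
    """Eq. (17): [t_in, t_out] of horizontal violation within [0, T]; (T, 0) if empty."""
    a = dot(v, v)
    b = 2 * dot(s, v) + TAUMOD * a
    c = dot(s, s) + TAUMOD * dot(s, v) - DMOD ** 2
    if a == 0 and math.hypot(*s) < DMOD:
        return (0.0, T)
    if math.hypot(*s) < DMOD:
        return (0.0, min(T, theta(s, v, DMOD, 1)))
    disc = b * b - 4 * a * c
    if a == 0 or dot(s, v) > 0 or disc < 0:  # a == 0 guard added here: the page divides by 2a
        return (T, 0.0)
    t = (-b - math.sqrt(disc)) / (2 * a)
    if delta(s, v, DMOD) > 0 and t < T:
        return (max(0.0, t), min(T, theta(s, v, DMOD, 1)))
    return (T, 0.0)

def vertical_entry_exit(sz, vz):
    """Eq. (16): entry/exit times of the vertical volume (requires vz != 0)."""
    sgn = -1.0 if vz < 0 else 1.0
    H = max(ZTHR, TCOA * abs(vz))
    return ((-sgn * H - sz) / vz, (sgn * ZTHR - sz) / vz)

def det_vwcv(sz, vz, B, T):
    """Eq. (15): vertical violation interval clipped to [B, T]; (T, B) if empty."""
    if vz == 0:
        return (B, T) if abs(sz) < ZTHR else (T, B)
    t1, t2 = vertical_entry_exit(sz, vz)
    if T < t1 or t2 < B:
        return (T, B)
    return (max(B, t1), min(T, t2))
```

With these thresholds, a head-on intruder at s = (10000, 0) closing at v = (-100, 0) reaches modified tau 60 s at t = 20 s and leaves DMOD at t = 140 s, so det_hwcv returns (20, 140) for T = 200.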
$$
\begin{aligned}
&\mathit{left\_lx1}(s, v, s_z, v_z, B, T, c, \omega_{min}, \omega_{max}, \epsilon, \alpha, D, H, \rho, \nu) : \mathit{set}[\mathbb{R}^2] = \\
&\quad \mathbf{let}\ t_\epsilon = \frac{\epsilon}{\alpha}\ \mathbf{in} \\
&\quad t := 0; \\
&\quad \omega := c; \\
&\quad \beta := \emptyset; \\
&\quad \mathbf{while}\ \omega < \omega_{max}\ \mathbf{and}\ t < T\ \mathbf{do} \\
&\quad\quad (s_t, s_{zt}) = \rho(s, v, \alpha, t); \\
&\quad\quad (v_t, v_{zt}) = \nu(s, v, \alpha, t); \\
&\quad\quad \mathbf{if}\ t < B\ \mathbf{then} \\
&\quad\quad\quad \mathbf{if}\ \|s_t\| < D\ \mathbf{and}\ |s_{zt}| < H\ \mathbf{then} \\
&\quad\quad\quad\quad \beta := \beta \cup \{[\omega, \omega_{max}]\}; \\
&\quad\quad\quad\quad \omega := \omega_{max}; \\
&\quad\quad\quad \mathbf{endif} \\
&\quad\quad \mathbf{elseif}\ \mathit{WCV}(s_t, s_{zt}, v_t, v_{zt})\ \mathbf{then} \\
&\quad\quad\quad \beta := \beta \cup \{[\omega, \omega_{max}]\}; \\
&\quad\quad\quad \omega := \omega_{max}; \\
&\quad\quad \mathbf{elseif}\ \mathit{WCV}(s_t, s_{zt}, v_t, v_{zt}, 0, T - t)\ \mathbf{then} \\
&\quad\quad\quad \beta := \beta \cup \{[\omega, \omega + \epsilon]\}; \\
&\quad\quad\quad \omega := \omega + \epsilon; \\
&\quad\quad \mathbf{endif} \\
&\quad\quad t := t + t_\epsilon; \\
&\quad \mathbf{endwhile} \\
&\quad \mathbf{return}\ \beta;
\end{aligned}
\tag{20}
$$


$$
\begin{aligned}
&\mathit{right\_lx1}(s, v, s_z, v_z, B, T, c, \omega_{min}, \omega_{max}, \epsilon, \alpha, D, H, \rho, \nu) : \mathit{set}[\mathbb{R}^2] = \\
&\quad \mathbf{let}\ t_\epsilon = \frac{\epsilon}{\alpha}\ \mathbf{in} \\
&\quad t := 0; \\
&\quad \omega := c; \\
&\quad \beta := \emptyset; \\
&\quad \mathbf{while}\ \omega > \omega_{min}\ \mathbf{and}\ t < T\ \mathbf{do} \\
&\quad\quad (s_t, s_{zt}) = \rho(s, v, -\alpha, t); \\
&\quad\quad (v_t, v_{zt}) = \nu(s, v, -\alpha, t); \\
&\quad\quad \mathbf{if}\ t < B\ \mathbf{then} \\
&\quad\quad\quad \mathbf{if}\ \|s_t\| < D\ \mathbf{and}\ |s_{zt}| < H\ \mathbf{then} \\
&\quad\quad\quad\quad \beta := \beta \cup \{[\omega_{min}, \omega]\}; \\
&\quad\quad\quad\quad \omega := \omega_{min}; \\
&\quad\quad\quad \mathbf{endif} \\
&\quad\quad \mathbf{elseif}\ \mathit{WCV}(s_t, s_{zt}, v_t, v_{zt})\ \mathbf{then} \\
&\quad\quad\quad \beta := \beta \cup \{[\omega_{min}, \omega]\}; \\
&\quad\quad\quad \omega := \omega_{min}; \\
&\quad\quad \mathbf{elseif}\ \mathit{WCV}(s_t, s_{zt}, v_t, v_{zt}, 0, T - t)\ \mathbf{then} \\
&\quad\quad\quad \beta := \beta \cup \{[\omega - \epsilon, \omega]\}; \\
&\quad\quad\quad \omega := \omega - \epsilon; \\
&\quad\quad \mathbf{endif} \\
&\quad\quad t := t + t_\epsilon; \\
&\quad \mathbf{endwhile} \\
&\quad \mathbf{return}\ \beta;
\end{aligned}
\tag{21}
$$





